Donald S. Clark

Secretary
Federal Trade Commission
Room H-159, 600 Pennsylvania Avenue, NW
Washington, D.C. 20580

Dear Mr. Clark:

Consumers Union, the publisher of Consumer Reports, appreciates this opportunity to comment on the Federal Trade Commission's (Commission) proposed Children's Online Privacy Protection Rule.

The Commission should be commended for developing comprehensive regulations that will serve to protect America's children in the online world. The proposed rule places control of information collected from and about children where it belongs, and where Congress intended it to be when it passed the Children's Online Privacy Protection Act of 1998 (COPPA), with parents.

Online protection for kids must:

Not exploit kids' inexperience and vulnerability. Attempts to do research or glean personal information shouldn't be disguised as entertainment, and prices shouldn't be used to induce kids to provide personal information.

Be widely available and easily implemented, even by adults who aren't computer literate.

Provide a foolproof way to communicate directly with parents, rather than rely on having kids get permission to visit a site.

The Commission has addressed these concerns in a fair and even-handed way in its proposed rule. The proposed rule is unlikely to be unduly burdensome for operators of websites.

Consumers Union recognizes the benefits of the World Wide Web, especially in opening doors to the world through access to a variety of sites containing a lifetime of information. But it is also a medium where children can be placed at risk, especially when asked to provide personal information about themselves, their family and friends. With the ever expanding and increasing use of the World Wide Web, by both adults and children, it was appropriate and timely that Congress passed COPPA and, subsequently, that the Commission propose these regulations. Website operators should not be surprised that the American public, Congress, and the Commission all realize that children need protections in the online world.

As technology develops, so must the vigilance of Congress, regulators, and parents -- to ensure continued protection for children and to use new technology to provide for further protections consistent with the goals and requirements of COPPA. In a positive way, as technology changes so will the ability to ensure that children are better protected online. The proposed rule appears to provide sufficient flexibility to put new technologies to work in achieving the goals of COPPA.

Consumers Union supports the comments filed by the Center for Media Education (CME), together with other groups in this matter.

These comments will discuss the following:

First, children must be protected against the online collection of personal information without a parent's prior informed and verifiable consent.

Second, the Commission should close potential loopholes in the proposed rule that could allow operators to circumvent the intent of COPPA.

Third, the Commission should ensure that parents receive a simple and comprehensive notice of policies, that information on the collection, use and dissemination of the information be complete and accurate, and that there be a means to verify parental consent in cases where a parent makes an informed choice.

Fourth, the Commission should ensure that information previously collected from children is given the same protection as future collected information.

Finally, the Commission should exercise care in providing a safe harbor for self-regulatory efforts

I. Children must be protected against the online collection of personal information without a parent's prior informed and verifiable consent.

In response to the need to protect children online, and in light of industry's failure to act in a meaningful way to do so, Congress passed, and the President signed COPPA. A key element of COPPA is that operators of websites get parental consent prior to collecting, using, or disclosing information from children. The Commission's mandate is clear -- to implement COPPA in a way that protects the interests of America's children.

Consumers Union fails to see any compelling commercial interest to allow a website to collect personal information from children without their parent's knowledge or consent. A commercial website, under the proposed regulations will, in fact, be able to collect and use such information. It simply has to inform the child's parents about what type of information will be collected, how it will be used, whether it will be shared, and then obtains the parent's consent. Congress was clear in it's intent when it passed COPPA -- that the interests of children and not that of industry be protected.

II. The Commission Should Close Potential Loopholes in the Proposed Rule That Could Allow Operators to Circumvent the Intent of COPPA.

While the proposed rule is comprehensive, there is a need to ensure that it will not be misinterpreted to allow operators and third parties to circumvent the intent of COPPA. There are several provisions that should be clarified to close possible loopholes in the proposed rule.

The Commission should include circumstances where offline and online information are combined for the purposes of marketing to the child online in the coverage of the definition of collected information.

The Commission should further ensure that the definitions of third party and operator are sufficient to avoid any loopholes that would allow a party to circumvent the intention of COPPA. The Commission should include collection by third parties, otherwise website operators could circumvent the goals of COPPA by using a third party, unaffiliated or not, to use the information on the operators' behalf. For example, it should be clarified that operators cannot transfer information collected from children to other entities that are not limited by the same restrictions as operators.

Information stored in cookies should be considered online contact information. Using information stored in cookies a website can identify and individually address a child.

Care must be given so that sites which may be general in nature, nevertheless, could attract younger visitors. This is especially relevant if the operator of a general site knows that a visitor to the site is a child, either directly through specific questions, or indirectly through the nature of a question and a response indicates that the visitor is a child. Websites should not be allowed to "construct a veil of ignorance" by drafting questions in such a way that skirts asking the age of the child, but otherwise indicates how old the child is likely to be.

Care must also be taken when a portion of a website or online service is directed at children. The definition should include both clearly labeled children's pages as well as where specific requests for information are directed at children or where it is apparent that children are responding. This concept should also apply where a child enters a site which does not fall under the purview of a site directed at children, but then allows a child to link to other sites that are directed to children. Accessing a site directed to children should be considered a triggering event, not necessarily just the site of preliminary access.

The Commission should ensure that parents receive a simple and comprehensive notice of policies, that information on the collection, use and dissemination of the information be complete and accurate, and that there be a means to verify parental consent in cases where a parent makes an informed choice.

Another key element of COPPA is that parents be fully informed prior to making a decision about whether to allow information from their child to be collected online. Parents must know, among other things, who is collecting information, for what purpose the information will be used, and to what extent that information might be shared with others. Without this information it will be impossible for parents to make an informed decision about whether or not to give consent. This becomes even more vital where websites offer inducements to relinquish information and permission to use that information.

The manner of disclosure of this information should be consistent across all sites so that parents are not confused. Moreover it would be helpful for the notices to be easy to find and recognizable by having some degree of uniformity, both in style and content. Furthermore, it seems logical that one way to avoid confusion, and to keep matters simple for parents, is for multiple operators agree to a single information collection policy for each website.

In addition to a parent making a fully informed choice, it is vital to have a verifiable method for obtaining consent. This is important because it is the trigger that opens the door for the collection and use of information. Thus the methods of verifying consent must meet a high standard.

Consent through e-mail alone is currently not verifiable. There is no means to verify that an e-mail address given by a child to obtain consent is acutally the parent's. Moreover, many children may have access to a parent's e-mail account or share an e-mail address with their parents. Until technology allows for e-mail verification, there are other simple, inexpensive, and reliable methods for obtaining parental consent. A parent could provide consent via mail or fax. Forms could be printable from the website or mailed upon request. The process of printing, signing, and mailing forms adds extra steps to ensure parental involvement.

The Commission should ensure that information previously collected from children is given the same protection as future information.

Consumers Union supports the Commission's provision requiring operators to obtain verifiable parental consent before they can use information previously collected from children. Without this provision, children who had the opportunity to participate in online activities before COPPA would be denied the same privacy protections as new users. Additionally, unscrupulous operators could claim that newly collected children's information was collected prior to the enactment of the rule, making the enforcement of COPPA difficult.

V. The Commission should exercise care in providing a safe harbor for self-regulatory efforts.

The proposed rule provides a "safe harbor" for companies complying with self-regulatory guidelines that are approved by the Commission after notice and comment. It is implicit that the any guidelines approved by the Commission must meet the goals of COPPA and be consistent with the substance of the proposed rule.

Generally, the use of self-regulatory guidelines raises some concerns, but these concerns are not necessarily insurmountable. To be successful, any self-regulatory effort must be enforceable and compliance with the guidelines must be verifiable. The Commission must have the resources to verify, enforce, and take appropriate action if needed. Without the assurance of these and other similar safeguards, a self-regulatory program will not contribute to the protection of children in the online world.

Consumers Union appreciates this opportunity to comment on the proposed rule and will provide further comments as appropriate. 

Frank C. Torres, III
Legislative Counsel